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1.0 (U) SCOPE 
1.1 (U) Objective 


(UTFOCO} This Statement of Work, hereafter referred to as the “SOW”, defines the 
Government’s minimum essential requirements and the tasks to be performed to design, develop, 
fabricate, test and document the 100G Ethernet Encryptor (100G EE). The 100G EE Project shall 
develop a Type-1 100G EE that supports the encryption/decryption of classified information up 
to the TOP SECRET/SCI level. The SOW addresses applicable documents, development 
program implementation requirements and deliverables. It also includes the associated program 
management, engineering, logistic support planning and an option for procurement of production 
units under an Indefinite Delivery Indefinite Quantity (IDIQ) Contractor Line Item Number 
(CLIN). 





(UAFOEO} It is envisioned that the 


























(U) An incremental approach to supporting ESS 1.0 and future encryption algorithms (e.g. Suite 
A) shall be implemented in the design of the equipment, through firmware and software 
upgrades only. Use of international standards and commercial off-the-shelf technology shall be 
applied to the greatest extent possible to maximize compatibility with commercial equipment and 
to minimize procurement cost and schedule. 


1.2 (U) Background 


(U) In-Line Network Encryptors (INEs) for networks have historically used Asynchronous 
Transfer Mode (ATM), Internet Protocol (IP), and Synchronous Optical Network (SONET) 
protocols. INEs have been fielded at OC-768 (40 Gbps) speeds for SONET. The 100G EE will 
satisfy the need for a Network Encryptor operating at Ethernet layer at speeds up to and 
including 100Gbps. 


(U) The 100G EE will be optimized for general frame based link protection providing selectable 
traffic flow security for GbE networks. The 100G EE will be used to encrypt and decrypt U.S 
Government classified information transmitted over commercial 100 Gigabit Ethernet interfaces 
in terrestrial optical networks. This high assurance Ethernet encryption device must be 
compatible with the 100G Ethernet Encryptor Functional Specification, hereafter referred to as 
the “100G EE SPEC”, attached to the contract. The 100G EE SPEC defines Increment 1 
requirements that are a subset of ESS 1.0. Where there is a conflict the 100G EE SPEC will take 
precedence over ESS 1.0. 


1.3 (U) Government Risk Reduction 
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2.0 (U) APPLICABLE DOCUMENTS 


(U) The following documents form a part of this SOW. Unless otherwise indicated, the version 
in effect on the date of contract award shall apply. 
documents referenced herein and the contents of this SOW, the contents of this SOW shall be 


considered a superseding requirement. 


2.1 (U) Government Documents 


In the event of conflict between the 






































Identification Date Title 
100G EE SPEC 5 DEC 2014 | Functional Specification for the 100G EE Equipment 
Development Version 1.2.1 
IASRD 14 MAR 2014 | IASRD 13-16, National Security Agency Information 
Assurance Security Requirements Directive TASRD) 
Tailored for the 100G EE 
TSRD 15 Nov 2013. | TSRD 13-16 Version C, National Security Agency 
Telecommunications Security Requirements 
Document (TSRD) Tailored for the 100G EE 
Ethernet Security 09 Sep 2013 | Ethernet Security Specification v1.0 
Specification (ESS) 
v1.0 
NISPOM 28 Feb 2006 | National Industrial Security Operations Manual 
(NISPOM), DOD 5220.22-M 
NSM 1 Nov 2012 | NRO Security Manual 
NSA/CSS Policy 05 Aug 2005 | Control of Communications Security (COMSEC) 
Manual No. 3-16 Material 
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2.2 (U) Commercial or Non-Government Standards 














Identification Date Title 
ANSI/EIA-748-B Jun 2007 Industry Guidelines for Earned Value 
Management Systems 
GR-63-CORE Apr 2012. | NEBS™ Requirements: Physical Protection, 
Telcordia Technologies, GR-63-CORE, Issue 
Number 4 
GR-1089-CORE May 2011 | Electromagnetic Compatibility (EMC) and 


Electrical Safety — Generic Criteria for Network 
Telecommunications Equipment, Telcordia 
Technologies, GR-1089-CORE, Issue Number 6 
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3.0 (U) REQUIREMENTS 
3.1 (U) General 


(UFFECO) This SOW describes the requirements for the design, development, fabrication, 
testing and documentation of the 100G EE in accordance with (IAW) the 100G EE SPEC, the 
National Security Agency (NSA) Information Assurance Security Requirements Directive as 
Tailored for the 100G EE (hereinafter referred to as the “IASRD”), the NSA 
Telecommunications Security Requirements Document (hereinafter referred to as the “TSRD”), 
and other applicable documents listed in Section 2.0 and the requirements of this SOW. 





(U/FOUS) The Government intends to achieve compliance with ESS 1.0 























(U77FUUO) The Contractor shall provide all the data items in the Contact Data Requirements 
List (CDRL) as specified by this SOW. 


3.1.1 (U) Project Management and Schedule 


(U) The Contractor shall provide the necessary program management to successfully conduct all 
tasks under this contract. The Contractor shall provide a Program Management Plan (PMP) 
IAW CDRL A003. The PMP shall include a narrative that discusses the associated risks with 
each phase of the program. The Contractor shall recommend alternative approaches to high-risk 
design areas throughout the preliminary and critical design phases of this development effort. 
The Government will evaluate all recommendations to determine if implementation is in the best 
interest of the Government. 


(U) The Contractor shall create and provide a Contract Work Breakdown Structure (CWBS) and 
dictionary that defines all CWBS elements (CDRL A008). 


(U) The Contractor shall develop, maintain, and provide an Integrated Master Schedule (IMS) 
for all contract CLINs, IAW CDRL A010. The Contractor shall define the schedule to be 
followed during the contract such that the initial design, development, fabrication, testing and 
documentation are completed and all deliverables are submitted [AW the period of performance 
in Section F of the contract. Major milestones and all reviews shall be identified in the IMS. 


(U) The Contractor shall provide quarterly Contract Funds Status Reports (CFSR) (CDRL 
A012). 


3.1.2 (U) Program Reviews 
3.1.2.1 (U) Major Program Reviews 


(U) The Contractor shall schedule and conduct the major program reviews identified below with 
Government participation. The Contractor shall prepare and forward agendas and briefing charts 
in advance of each major program review (a through f below), IAW CDRL A006. The 
Contractor shall keep minutes of each review, to include action item lists and action closure, and 
shall submit them to the Government, IAW CDRL A002. The Contractor shall accommodate up 
to 20 Government representatives at each of these reviews, and shall ensure that the conference 
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can be conducted at the SECRET level. The Contractor shall deliver the final as-briefed (with 
corrections) Design Review package, [AW CDRL A006. The Major Program Reviews shall be: 


Post Award Conference (PAC), 30 days after date of initial award determination. 


b. System Requirements Review (SRR) at the conclusion of the System Requirements 
Definition Phase, 


Preliminary Design Review (PDR) at the conclusion of the Preliminary Design Phase, 
d. Critical Design Review (CDR) at the conclusion of the Detailed Design Phase. 


e. Test Readiness Review (TRR) after completion of dry run testing and prior to formal (i.e. 
Government witnessed) System Test. 


f. End Product Acceptance Review (EPAR) after completion of all prior phases and unit 
testing. 


a ay (U) Program Management Reviews 


(U) The Program Management Reviews (PMRs) shall encompass all aspects of the program (1.e., 
cost, schedule, technical performance, etc.). Typically, PMRs will be held at the Contractor’s 
facility; however, two (2) per year will be conducted in the Baltimore/Washington, D.C. area. 
The Contractor shall plan for the first PMR to occur one (1) month after contract award at the 
Contractor’s facility. Following the first PMR, the Contractor shall plan on one PMR 
approximately every 30 days for the period of performance of the contract. Prior to each PMR, 
the Contractor shall prepare and forward the agenda and briefing charts, IAW CDRL A001. 
Also, the Contractor shall keep minutes of each review, to include action item lists and action 
closure, and submit them to the Government, IAW CDRL A002. The Contractor shall provide 
interim updates to the Government via a short duration weekly status call. 


3.1.2.3 (U) Technical Exchange Meetings 


(U) The Contractor shall host Technical Exchange Meetings (TEMs) as necessary or as directed 
by the Government to resolve complex technical issues facing the program. The Contractor shall 
also include travel, preparation and follow-up engineering time, for up to four (4) offsite TEMs. 
Travel expenses can be budgeted on transportation costs coast-to-coast, per-diem costs and 
salaries for up to three engineers per meeting. Trades in the total number of meetings, number of 
attendees and location shall be adjudicated with the Government based on technical requirements 
to achieve the objectives of the contract. The Contractor shall keep minutes of each meeting, to 
include action item lists and action closure, and shall submit them to the Government, [AW 
CDRL A002. 


3.1.3. (U) Technical Data 
(U) The Contractor shall prepare and maintain a Data Accession List IAW CDRL A013. 
3.1.4 (U) COMSEC Account & Key Storage 


(U) The Contractor shall obtain an NSA COMSEC account and maintain it in accordance with 
the NSA/CSS Policy Manual No. 3-16. The Contractor shall maintain this account for the 
duration of the contract. This COMSEC account is for the secure communication equipment, 
cryptographic keying material for this equipment, for the 100G EE cryptovariables, the 100G EE 
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boards and the 100G EE themselves. The Contractor shall enter these devices into COMSEC 
accountability. 


3.2 (U) Personnel and Facilities 


(U) The Contractor shall provide personnel, equipment and facilities to perform the work 
required by this SOW. The Contractor shall provide cleared personnel and facilities for 
performing security relevant tasks. Technical lead personnel and personnel performing security 
related tasks or requiring access to classified design documentation shall have at least SECRET 
clearances. Security related tasks include systems design, hardware design, software design, and 
system test of security functions within the system’s INFOSEC boundary, program management, 
and security critical aspects of production. 


3.3 (U) Technical Tasks 
3.3.1 (U) 100G EE Design & Development 


(UFFOEYO). The Contractor shall design, develop and fabricate 100G EE unit(s) to be compliant 
with the Government provided requirements documents IAW the design and development 
methodology of Section 3.4. The Contractor shall test the 100G EE units to ensure that they meet 
said requirements IAW Section 3.5. The Contractor shall continue to support the 100G EE 
development through successful completion of the Government’s certification process. 


3.3.2 (U) System and System Security Engineering 


(U) The Contractor shall provide System and System Security Engineering support to execute 
the 100G EE requirements development, functional allocation and verification, system design 
integration. The Contractor shall develop and document configuration/initialization, 
management and operational concepts for the unit (CDRL B002). The Contractor shall ensure 
the 100G EE units are functional, cryptographically interoperable and operate in a secure manner 
when integrated into 100 GbE based networks with commercial networking equipment using 
standards based networking protocols. 


3.3.2.1 Ethernet Control Processing 


o (U) The Contractor shall perform engineering analysis to determine which control 
protocols will be discarded, peered or encrypted/decrypted in support of each 
Ethernet Data Encryption (EDE) device type required by increment 1. The control 
processing may differ based on EDE device type. The analysis should also study the 
need to bypass protocol control information. 

o (U) The Contractor shall perform engineering analysis to determine the proper 
amount of memory needed to support flow control and typical network operations 
given the maximum distances supported on the interfaces 


3.3.2.2 Secure Management Information Base (MIB) Development. 


(U/FOEO) As previously stated, ESS 1.0 describes the use of public standards for an EDE. The 
public standards (IEEE 802.lae and 802.1X) define a portion of the Management Information 
Base (MIB) for use with network management protocols in the Internet community. The 
standards further describe “Security Considerations” for some of the management objects 
defined in the MIB. 
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(U/AFOUOU) The Contractor shall provide System Security Engineering support when developing 
the MIBs required in the 100G EE Spec. The Contractor shall perform an analysis to determine 
additional access restrictions to secure MIB objects and apply the results of this analysis to the 
delivered MIB. 


3.3.2.3 System Requirements Management 


(UFFEHC) The Contractor shall develop the Software/Hardware Requirements Specification 
(SHRS) (CDRL C005). The Contractor shall work with the Government to ensure that the 
SHRS is consistent and complete relative to the Contractor developed CONOPs (CDRL BO002) 
and the 100G EE SPEC. 


(UFO 80) The Contractor shall update and maintain configuration of the SHRS for the duration 
of the contract. The coordination of the design with the SHRS shall include monitoring, review, 
coordination and allocation of 100G EE requirements into lower-level specifications and internal 
interface documents. In addition, the SHRS shall be used to ensure sufficient test coverage for 
all testing in general, and for functional and security testing in particular. 


3.3.3 (U) 100G EE EDM 


(U) The Government plans to use 100G EE Engineering Development Model (EDM) units as an 
early form, fit and function integration device for system end-to-end tests. As such, the 
Contractor shall fabricate, assemble and test the quantity of non-NSA certified 100G EE EDM 
units as required in Section 4.2 of this SOW. To the maximum extent practicable, the 100G EE 
EDM(s) shall use identical parts as those in the production 100G EE units. The 100G EE 
EDM(s) shall complete the functional tests per Section 3.5 below and be fully operational. 


3.3.4 (U) 100G EE Increment 2 Requirements Analysis 


(U) ESS 1.0 describes the use of public standards for Ethernet Data Encryption (EDE) protecting 
a National Security System (NSS). ESS 1.0 provides the requirements and recommended 
functionality for an NSS EDE device supporting a variety of network architectures. The ultimate 
goal of the 100G EE program is to produce a unit that is fully compliant with ESS 1.0. This goal 
must be balanced with the need to develop the unit under a tightly controlled schedule; therefore, 
some of the mandatory requirements in ESS 1.0 will not be required in the initial increment. 


(U4FEGO) The Contractor shall work with the Government to conduct an Increment 2 
requirements analysis for an ESS 1.0 compliant 100G EDE. The Increment 2 analysis shall start 
upon completion of the Increment | SRR. Increment 2 shall include support for both a key 
agreement protocol and pre-shared keys. The Contractor shall identify requirements, architecture 
and certification details for upgrade with firmware and software only upgrades. 


(U/FOCGS) The Contractor shall work closely with the Government to conduct trades including 
key management trade on EAP-TLS, EAP-Internet Key Exchange or KMI aware, PDE enable 
device. For the purposes of this effort, EAP-TLS implemented per RFC-5216 may be considered 
“optional” as opposed to “mandatory” for ESS 1.0. 
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(U) The Contractor shall perform engineering analysis to propose a method to support up to 4 
priority queues and estimate the additional cost/schedule needed to support priority based flow 
control over a simple single queue scenario. 


(U) The Contractor shall determine which control protocols will be discarded, peered or 
encrypted/decrypted in support of each EDE device type specified in ESS 1.0. The Government 
is aware that the IEEE Ethernet specifications are still maturing with respect to layer 2 control 
protocols to realize the prescribe EDE device types in real networks. The contractor shall 
analyze the relevant draft IEEE specifications, identify issues, present options and attempt to 
integrate the draft IEEE specification with ESS 1.0. 


(U) The Contractor shall document the Increment 2 architecture, CONOPs and trade results [AW 
CDRL BO0O1. The report shall contain a Rough Order of Magnitude (ROM) cost and schedule 
estimate to productize and obtain NSA certification of the Increment 2 architecture. The 
contractor shall document Increment 2 system-level requirements IAW CDRL C005 and conduct 
an Increment 2 SRR. 


3.3.5 (U) Engineering Analysis and Support Task (CLIN0002) 


(U) The Contractor shall perform engineering analysis and support tasks as required by the 
program office, under separate task orders within CLINO002. For example, the program office 
expects that from time to time, 100G EE users may come forward with requests for additional 
analysis or ad hoc support tasks. The Contractor will use this task as the means to accomplish 
this scope. 


(U) The Contractor shall provide the appropriate labor skill set mix to accomplish the tasks. The 
Contractor shall deliver the results of the analysis to the Government with a Technical Report 
IAW CDRL BO003. The initial pool of hours shall include a mixed skill set of 4,000 hours. 


(U) The Contractor shall work with Government to demonstrate that the 100G EE devices can 
communicate with each other in Government lab environment. The Contractor shall review 
Government produced test plan/procedures. The testing shall ensure that the 100G EE devices 
are interoperable with commercial networking products. The testing will be conducted using 
EDM units at multiple sites within the Washington DC metro area. The Contractor shall provide 
on-site integration and testing support for two trips to Washington DC metro area and remote 
teleconference support for the duration of the testing. 


3.3.6 (U) Indefinite Delivery Indefinite Quantity (IDIQ) - OPTION (CLIN 0003) 


(U) The Contractor shall deliver additional 100G EE productions units as required under an 
Indefinite Delivery Indefinite Quantity (IDIQ) CLIN. The Contractor shall fabricate, test and 
deliver the quantity of production 100G EE units as specified in Section 4.2.3. The 100G EE(s) 
shall use approved design, parts, processes, tests and facilities from the development. The 100G 
EE(s) shall be fully functional, Type 1 devices and shipped according to the Security Procedures 
and Controls specified for this program. 


(U) In order to minimize the schedule risk associated with the procurement of long lead items the 
Contractor may order and procure the long lead material necessary for the execution of this 
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option as soon as the option is approved. The material shall be sufficient for the fabrication of 
the minimum quantities of production units identified in 4.2.3. 


3.4 (U) Design & Development Methodology 


(U) The Contractor shall follow a structured design, development and test methodology to insure 
that the system requirements are fully implemented, documented, and tested and can be 
independently analyzed and verified by the Government in support of system certification. The 
methodology provided below provides a guideline to the developer for a typical high assurance 
development effort. The methodology chosen by the Contractor shall include the following 
milestones: System Requirements Review, Preliminary Design Review, Critical Design Review 
and Test Readiness Review. These milestones shall be considered complete when: the review 
has been held; all documentation required up to that point has been delivered and accepted; all 
major issues (identified as such by the Government at the review) have been resolved to the 
Government’s satisfaction. 


3.4.1 (U) System Design 


(U) Development begins with a system design phase and shall culminate in a System 
Requirements Review (SRR). During this phase, the Contractor shall analyze system 
requirements, shall decide upon initial system architecture, shall make a preliminary allocation of 
requirements to hardware or software, and shall plan system level testing. 


(U) The contractor shall perform an analysis of the Telcordia GR-63-CORE (Environmental) and 
GR-1089 (EMC) requirement documents. The contractor shall investigate construction 
requirements and material selection and determine an appropriate subset to meet the 
requirements in the 100G EE SPEC. The contractor shall document the analysis (B003) and 
incorporate the findings into baseline SHRS. 


(U) During the system design phase, the Contractor shall prepare and maintain a system level 
requirement specification (Software / Hardware Requirements Specification (SHRS)) from 
which the requirement baseline and all system level testing requirements are derived. The SHRS 
shall be derived from the Government-provided requirements: 100G EE SPEC, TSRD, and 
IASRD. The Contractor shall begin and baseline the SHRS during this phase. The Contractor 
shall prepare and deliver the SHRS IAW the CDRL C005. 


(U) The Contractor shall track the allocation of these requirements to the elements that satisfy 
the requirements in the design. In addition to any other data stored which the Contractor may 
find useful, the Contractor shall record the requirement statement, a Contractor-assigned 
requirement number, the part of the implementation that satisfies the requirement, how the 
requirement is tested, and at what level of system integration the requirement is tested. The 
Contractor shall use this database to guide their test planning and test execution to ensure that the 
delivered system completely satisfies all system requirements. The Contractor shall report on the 
status of the requirements baseline at every major program review. 


3.4.2 (U) Preliminary Design 


(U) The Preliminary Design phase follows the System Design phase, culminating in a 
Preliminary Design Review (PDR). During this phase the Contractor shall complete the top-level 
hardware and software design. The Contractor shall further develop the system design, define 
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subsystems, decompose requirements and allocate them to subsystems, and begin planning 
system integration. 


3.4.3 (U) Detailed Design 


(U) The Detailed Design phase follows the Preliminary Design phase, culminating in a Critical 
Design Review (CDR). During this phase the Contractor shall completely develop the design of 
all subsystems to the point that they are ready to be implemented in the form of code, circuits, or 
hardware, including worst case analyses, timing analyses, thermal analyses, writing Preliminary 
Design Language, and other techniques. 


3.5 (U) Integration & Test 


(U) The System Integration phase follows the Detailed Design phase, culminating in a Test 
Readiness Review (TRR). During this phase the Contractor shall implement the designs 
integrate them into the 100G EE unit and test the resulting unit. 


3.5.1 (U) Test Readiness Review 


(U) After completion of dry run testing and prior to formal (i.e. Government witnessed) System 
Test, the Contractor shall host a Test Readiness Review (TRR) with the participation of the 
Government Program Office to assess readiness for system level testing. The TRR marks the 
completion of system integration and the beginning of system testing. 


3.5.2 (U) Design Verification 


(U*FOUCy Design verification ensures that the fully integrated 100G EE unit satisfies all system 
level requirements levied by this SOW and related documents. The Contractor shall produce a 
Design Verification (DV) Plan IAW CDRL B004. The Contractor shall develop procedures and 
perform all necessary testing, inspection and analysis IAW the DV procedure. The Contractor 
shall record the results of each test, track all test failures, and submit test results [AW the CDRL 
BO05. The Contractor shall make corrections and retests until all system requirements have been 
satisfied. The Government or a designated Government representative may witness formal 
Design Verification Testing. 


3.5.4 (U) Acceptance Test 


(U/FOCCy Acceptance testing ensures that the 100G EE units will meet the performance 
specifications and demonstrate error-free workmanship in manufacturing. The Contractor shall 
produce an Acceptance Test Plan IAW CDRL BO007. The Contractor shall develop procedures 
and perform all necessary testing, inspection and analysis [AW the Acceptance Test procedure. 
The Contractor shall record the results of the test and track all test failures. The Government or a 
designated Government representative may witness formal acceptance testing. 


3.5.5 (U) End Product Acceptance Review 


(U) The End Product Acceptance Review (EPAR) reviews the results of all system level testing 
leading up to Government authorization to proceed with production build and test. The 
Contractor shall host an EPAR to include a summary of all Design Verification testing, including 
design verification, security verification, qualification testing, and other tests. The EPAR shall 
include the status of problems encountered during integration and test, discrepancy reports, 
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deviations, waivers, and their corrective actions. The EPAR shall look forward, reviewing plans 
for fabrication, maintenance and training. The Contractor shall keep minutes of each review, to 
include action item lists and action closure, and shall submit them to the Government, [AW 
CDRL A002. 


3.6 (U) Quality Assurance 


(U) The Contractor shall establish a Quality Assurance (QA) Program. As a minimum, the 
Contractor shall establish a system for early detection and correction of errors, assure quality of 
system deliverables, assure quality of engineering data, and assure quality of purchased products. 
The Contractor’s documented QA program shall be made available to the Government for 
review upon request. 


(U) The Contractor shall establish and maintain a system of quality assurance records. These 
records shall comprise those reports and internal records developed/required by the contract in 
the normal performance of the quality control procedures to include: Contractor Acceptance 
Tests; System Level Tests (Design Verification, Design Verification, and SV); Engineering 
Drawing Audits and Inspections; and Technical Publications Validation/Verification and 
Inspection. These QA records shall be made available for review by the Government. 


3.7 (U) Configuration Management 


(U) The Contractor shall establish and maintain a Configuration Management Program, which 
shall include the establishment of a Configuration Control Board (CCB) to ensure all design and 
test related documentation and artifacts are maintained by a controlled process to ensure the as- 
built design and product are accurately captured. The Contractor shall ensure that all design 
changes are evaluated on a basis of performance, risk and affordability. 


3.8 (U) Software / Firmware Delivery 
3.8.1 (U) Software Delivery 


(U) The Contractor shall deliver all executable code IAW CDRL BO008 and BO09. In the event 
that contract funding or mixed funding is used in the development and the Government has 
Unlimited or Government Purpose Rights, the Contractor shall also deliver source code IAW 
CDRL BO008 and BO09. 


3.8.2 (U) Hardware Description Language Delivery 


(U) In the event that contract funding or mixed funding is used in the development and the 
Government has Unlimited or Government Purpose Rights, the Contractor shall submit HDL 
Files IAW CDRL BO10 and BOL1. The HDL files used to document the hardware designs in the 
fabrication of the electronic device shall be partitioned into two basic types: HDL design files 
and auxiliary files. 


3.9 (U) NSA CERTIFICATION 


(U) The Contractor shall architect, design, document, develop and test a Type | 100G EE that is 
compliant with the TSRD and IASRD identified in Section 2.0. The Contractor shall plan, 
perform, and report all testing required by the TSRD, to include TEMPEST and Security 
Verification testing. 


(U) The Contractor shall prepare, submit and work with the Government to obtain approval of 
the NSA certification related CDRLs contained in the TSRD. All certification CDRLs (CDRL 
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C001 — C021) submittals shall be in accordance with the format specified in the TSRD and 
associated Data Item Descriptions (DID). The Contractor shall deliver the CDRLs no later than 
the time specified in the TSRD. 


(U) The Contractor shall maintain all NSA certification documentation current and provide 
updates as required throughout this contract to ensure a complete and accurate certification 
package is presented to NSA certification. 


(U) As part of this development effort, the Contractor shall afford the Government the 
opportunity to witness any and all development activities and NSA required testing. Advanced 
notice of design reviews shall be provided to the Government such that reasonable lead-time 
exists for Government travel arrangements if travel is required. 


3.10 (U) Integrated Logistics Support 
3.10.1 (U) Preliminary Maintenance and Provisioning Concept 


(U) The Contractor shall develop and document a preliminary maintenance and provisioning 
concept for the 100G EE program CDRL D001. This concept should address requirements for 
future maintenance, test and support equipment in sufficient detail to maintain an end-state 
inventory of up to one hundred 100G EE units. The maintenance concept shall accommodate a 
two tier maintenance support structure as stated below. 


(U) Echelon 1 (E1) Support: The Government will provide a depot facility for El software 
and firmware upgrades and limited repairs (i.e. tamper recovery) for rapid turnaround 
support. 


(U) Echelon 2 (E2) Support: In-depth troubleshooting and repairs will be handled in E2 
maintenance activities as contract maintenance tasks. 


3.10.2 (U) Operator Training 


(U) The Contractor shall develop an Operator’s Training Plan IAW CDRL D002 and submit it to 
the Government for approval. The Contractor shall develop, document and conduct an initial 
training course (CDRL D003) IAW the approved Training Plan for up to 25 Government 
representatives. Training shall cover how to install, configure and operate the 100G EE unit. The 
initial training course shall be offered at the Contractor’s facility. The Contractor shall prepare 
and submit the training material for review and approval by the Government. 


3.10.3 (U) Operator Manual 


(U) The Contractor shall prepare and deliver an Operator Manual [AW CDRL D004. This 
manual shall describe how to install, configure and operate the 100G EE equipment. 


3.11 (U) Security 


(U) The Contractor shall prepare and submit a Program Protection Plan (PPP) (CDRL A004) to 
the Cognizant Program Security Officer (PSO). The PPP shall detail how security will be 
administered under this contract. The PPP shall identify a company Program Security Officer 
(Contractor PSO) by name to be final adjudicator on all security issues within the company and 
serve as the interface to the Government PSO that has been or will be trained to meet all 
Government security requirements. The PPP shall specifically address the protection construct 
for the 100G EE development including classified and unclassified facilities, personnel, and 
interfaces with sub-Contractors and information systems and identify security personnel and 
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their roles and responsibilities. The Contractor shall adhere to the approved PPP contents for the 
duration of the program. 


(U) The Contractor shall prepare and submit a System Security Plan (SSP) (CDRL A005) 
identifying all security policies, mechanisms and procedures for protection of all data systems 
used for the design and management of this program. The Contractor shall submit proof of 
certification and accreditation of all classified Information Systems for this program. The 
Contractor shall maintain these certifications and accreditations for the duration of the program. 


(U) The prime Contractor and all sub-Contractors shall have approved facilities and equipment 
for handling and storing classified data at the SECRET level for initial design work. The prime 
and all sub-Contractors shall maintain the necessary facility clearances for the duration of the 
program. 


(U) The Contractor shall appropriately mark any work product in accordance with the 
classification levels from the Government’s DD-254. Any Contractor generated work product 
that is classified is handled according to directives from the Defense Security Service (DSS) and 
the NISPOM or more current document. 


(U) The Contractor shall report all incidences promptly in accordance with the NISPOM, or 
more current document, to both their DSS representatives and the Government Program Office. 
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4.0 (U) DELIVERABLES 
4.1 (U) Contractual Data Requirements List 


(U) The Contractor shall deliver the documents identified in the list provided in the Table below. 
Unless a document format is otherwise noted, the Contractor shall use best commercial practices 
in preparing the documents. Deliverables shall be provided in Government-approved Contractor 
format: softcopy submission compatible with Microsoft Office environment on disk or CDR 
media, with a transmittal letter to the Contracting Officer and include the appropriate security 
classification markings. All magnetic media shall be virus tested by the Contractor using 
commercially available software for virus detection and eradication prior to delivery consistent 
with Government standards- 


4.1.1 (U) Administrative and Program Management 











CDRL TITLE 
A001 Program Management Review Package 
A002 Minutes w/ Action Items & Action Closure; 


Trip Reports 
A003 Program Management Plan 








A004 Program Protection Plan 
A005 System Security Plan 








A006 Design Review Package (and Agendas) 














A007 --Reserved-- 

A008 Contractor Work Breakdown Schedule 
A009 --Reserved-- 

A010 Integrated Master Schedule (IMS) 
AOI1 --Reserved-- 





A012 Contract Funds Status Reports (CFSR) 
A013 Data Accession List 

















Table is UNCLASSIFIED 
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4.1.2 (U) 100G EE Technical, Non-Certification CDRLs 


















































CDRL TITLE 
Bool 100G EE Increment 2 Requirements Analysis 
BO02 Concept of Operations Document 
BO003 Technical Report(s) 
B004 Design Verification Plan 
BOOS Design Verification Report 
B006 Reserved 
BO007 Acceptance Test Plan 
B008 Software Deliverables (e.g. source code, 
executables, and electronic media) 
BO009 Software Version Description (SVD) 
BO10 HDL Version Description (HVD) 
BOLI HDL Files 
Table is UNCLASSIFIED 
4.1.3 (U) 100G EE NSA Certification CDRLs 
Table is UNCLASSIFIED 
CDRL TITLE 





Cool Security Evaluation Document (SED) 





C002 


Security Verification (SV) Plan & 
Procedures 





C003 Security Verification (SV) Report 





Technical Report — Study/ Services; 


C004 Software Development Process 


Description Document” (SDPDD) 





C005 


Software/Hardware Requirement 
Specification (SHRS) 





Technical Report — Study/ Services; 


C006 Software /Hardware Design Description 


(SHDD) 





Technical Report — Study/ Services; 


C007 Software and Programmable Logic 


Evaluation Report (SPLER) 








Technical Report — Study/ Services; Sub 


C008 Title: Key and Certificate Management 





Architecture (KCMA) 
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CDRL TITLE 

Technical Report — Study/ Services; Sub 

C009 Title: Key and Certificate Management 
Plan (KCMP) 

C010 Key Specification 

Coll Physical Configuration Audit Plan 
(PCAP) 

C012 Physical Configuration Audit Report 
(PCAR) 

C013 --Reserved-- 

C014 TEMPEST Test Plan 

COIS TEMPEST Test Report 

C016 In-Process Accounting Procedures 
Security Production Assurance (SPA) 

C017 page 
Description 

C018 Product Drawings/ Models and 
Associated Lists 

C019 --Reserved-- 

C020 Information Security (INFOSEC) 
Anonymity Plan 

C021 Engineering Change Proposal (ECP) 








Table is UNCLASSIFIED 


4.1.4 (U) Sustainment Documentation 





CDRL 


TITLE 





D001 


Maintenance and Provisioning Concept 





D002 


Training Plan 





D003 


Training Course Materials 








D004 





Operator’s Manual 





Table is UNCLASSIFIED 


4.2 (U) Hardware Deliverables 
4.2.1 (U) Engineering Development Models (EDMs) 


(U) The Contractor shall deliver eight (8) 100G EE EDMs with SR10 pluggable optics, power 
cables and other ancillaries required for operation. The units shall be covered by a minimum of a 


one year Contractor repair warranty. 
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4.2.2 (U) 100G EE Manager Software 


(U) The Contractor shall develop 100G EE Manager software that performs remote management 
of 100G EE units in the enterprise and displays the information in a consolidated interface. 
Development of the 100G EE Manager software should not impact the delivery schedule for 
100G EE Increment | hardware. The Contractor is encouraged to leverage existing management 
software that may provide similar functionality. The Contractor shall provide software updates, 
including patch updates during warranty period. 


4.2.3 (U) Certified Production Units 


(U) The Contractor shall deliver additional 100G EE productions units as required under an 
Indefinite Delivery Indefinite Quantity (IDIQ) CLIN. The IDIQ contract option is identified 
under Federal Acquisition regulation (FAR) 16.504 for the period of performance specified in 
the contract. 


(U) The delivery orders issued under the contract will be Firm Fixed Price for the purchase of 
100G Ethernet Encryptor Units. 


(U) The minimum quantity of 100G EE to be ordered during the period of program shall be 10. 


(U) The maximum quantity of 100G EE to be ordered during the period of program shall be 250. 
However, there may be a potential for the Government to exceed the original unit maximum. 


(U) The Contractor shall comply with FAR regulations related to Authorization of Fixed Price 
Task or Delivery Orders (MAR 2009). 


(a) The following CLINs or SubCLINs in this contract are for fixed-price delivery orders: 


CLIN SubCLIN Contract Type 
005 001 (Long-Reach configuration) FFP 
005 002 (Short-Reach configuration) FFP 


(b) When requested, the Contractor shall submit a delivery order, as specified by the Contracting 
Officer, for the performance of delivery order to be placed under the CLIN(s) identified in the 
table above. Each delivery order shall contain details of the delivery order, the CLIN under 
which the work will be performed, and the total price or cost for the work to be performed in the 
detail specified by the Contracting Officer. Delivery orders in response to said proposals will be 
serially numbered, dated, and signed by the Contracting Officer before transmittal to the 
Contractor. In no event shall the cumulative firm fixed price of all orders authorized exceed the 
firm fixed price set forth in Section B for the designated CLIN(s). 


(c) Each delivery order will specify: (1) the CLIN under which the delivery order has been 
placed; (2) the delivery order price (3) Delivery Date (4) Hardware Configuration (e.g. Pluggable 
Optics). Within ten calendar days after receipt of each delivery order, the Contractor shall submit 
a written notice to the Contracting Officer indicating acceptance or non-acceptance of the 
delivery order. Each delivery order accepted by the Contractor shall be deemed to be 
incorporated into this contract by reference. Failure of the Contractor to provide written 


UNCLASSIFIED//FOR OFFI ONLY 


Approved for Release: 2019/08/21 C05107448 


Page 20 of 23 


Approved for Release: 2019/08/21 C05107448 
UNCLASSIFIED//FOR OF ONLY 


acceptance to the Contracting Officer shall be considered non-acceptance of that delivery 
order. The Contractor understands that acceptance of a delivery order obligates the Contractor to 
complete all the effort required by that delivery order for the firm fixed price set forth therein. 


(d) In the event the sum of the firm fixed prices of all delivery orders authorized hereunder is less 
than the total price of the designated CLIN(s), the price of said CLIN(s) shall be modified to 
equal the total price of all task/delivery orders authorized. 


(e) No delivery order shall be issued under this provision until sufficient funds are allotted to 
cover the work. Incremental funding of delivery orders shall be governed by the provisions of 
the Limitation of Government's Obligation clause. 
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(U) APPENDIX A — Acronyms 


(U) NOTE — All Acronyms are UNCLASSIFIED 


100G EE 
ANSI 
ASIC 
CDR 
CDRL 
CFSR 
CONOP 
COTR 
CPR 
DID 
DSS 
DV 
ECP 
EDE 
EDM 
EIA 
EKMS 
EPAR 
ESS 
FPGA 
FSDA 
GFE 
GFI 
HDL 
IASRD 
IAW 
IDIQ 
INFOSEC 
KMP 
NISPOM 
NSA 
PCA 
PDR 
PSO 


QA 


100 Gigabits per second Ethernet Encryptor 
American National Standards Institute 
Application Specific Integrated Circuit 
Critical Design Review 

Contract Data Requirements List 

Contract Funds Status Report 

Concept of Operations 

Contracting Officer’s Technical Representative 
Contract Performance Report 

Data Item Description 

Defense Security Service 

Design Verification 

Engineering Change Proposal 

Ethernet Data Encryptor 

Engineering Development Model 
Electronic Industry Association 

Electronic Key Management System 

End Product Acceptance Review 

Ethernet Security Specification 

Field Programmable Gate Array 

Fail-Safe Design Analysis 

Government Furnished Equipment 
Government Furnished Information 
Hardware Description Language 
Information Assurance Security Requirements Directive 
In Accordance With 

Indefinite Delivery Indefinite Quantity 
Information Security 

Key Management Plan 

National Industrial Security Program Operating Manual 
National Security Agency 

Physical Configuration Audit 

Preliminary Design Review 

Program Security Officer 

Quality Assurance 
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SED Security Evaluation Document 

SOW Statement of Work 

SRR System Requirements Review 

SV Security Verification 

SVD Software Verification Description 

SVT Security Verification Test 

TRR Test Readiness Review 

TSRD Telecommunications Security Requirements Document 
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